1. The Field of the Invention
The present invention generally relates to securing communication between modules. More particularly, the present invention provides for efficiently establishing a secure communication between modules by utilizing a secured shared memory to ensure that the modules reside on the same computing device.
2. Background and Related Art
Computer networks have enhanced our ability to communicate and access information by allowing one computer or device to communicate over a network with another computing device using electronic messages. When transferring an electronic message between computing systems, the electronic message will often pass through a protocol stack that performs operations on the data within the electronic message (e.g., packetizing, routing, flow control, etc.). The Open Systems Interconnection (OSI) model is an example of a networking framework for implementing such a protocol stack.
The OSI model breaks down the operations for transferring an electronic message into seven distinct “layers,” each designated to perform certain operations in the data transfer process. While protocol stacks can potentially implement each of the layers, many protocol stacks implement only selected layers for use in transferring data across a network. When data is transmitted from a computing system, it originates at the application layer and is passed to intermediate lower layers and then onto a network. When data is received from a network, it enters the physical layer and is passed up to the higher intermediate layers and then eventually received at the application layer. The application layer (the uppermost layer) is responsible for supporting applications and end-user processes, such as electronic conferencing software.
Often, when computing modules or processes are to communicate with each other, the computing systems will first establish a communication session. For example, in a network environment or on a single machine, a client application will request access to a resource of a server application. If an appropriate request is received by the server application, the server application can then respond by sending the requested resource to the client application.
In order to increase the likelihood of a secure communication between the client and a server, there are many typical security mechanisms that can be used depending upon the OSI layer and the protocol. For example, a layer incorporated by most protocol stacks is the transport layer, which can provide the features of end-to-end error recovery, re-sequencing, and flow control to the application layer. An example of a transport layer protocol that implements these features is the Transmission Control Protocol/Internet Protocol (TCP/IP).
At this layer, and at higher layers in a protocol stack (e.g., an application layer), a handshake sequence (e.g., a Secure Sockets Layer (SSL) handshake) is frequently used to establish a secure communication between a client module and a server module, either on different systems or within the same device. During such a handshake sequence, a client and a server can exchange version numbers, cipher settings, and other communication information necessary to communicate using SSL. Once established, an SSL secure communication allows the client and the server to cooperate in the creation of session keys for encryption, decryption and tamper protection (e.g., digital signing) of electronic messages transferred between the client and the server.
Of course there are many other ways of establishing a secure communication and authenticating the client and/or server. For example, a public key, private key pair can be used to authenticate and validate electronic data. In a public key/private key scheme, the author encrypts the data using a private key. The encrypted data can only be decrypted using the author's public key. Accordingly, the recipient of data can access the public key and upon properly decrypting the data, the recipient can be certain that the data originated with the author. For extra security, the data can be encrypted several times, using several layers of public and private keys of both the author and the recipient.
As mentioned above, the uppermost layer in the OSI model is the application layer. The functionality of lower layers of a protocol stack is typically abstracted from the application layer. That is, application data is transferred to and from an application layer through the lower layers, without exposing the functionality of the lower layers to the application layer. Abstraction can make it appear to a number of application layer processes at different computing systems that the application layer processes are directly connected to one another (when in fact lower layers in the corresponding protocol stacks process data as it is transferred between the application layer processes). Accordingly, communication between two application layer processes can be viewed as a logical connection on a single machine regardless of the underlying physical network that facilitates the communication.
There are many instances, however, when processes should be validated as being on a single machine, e.g., for configuration purposes or as an added security layer. Although the above identified techniques for ensuring a secure communication work well for communications between multiple machines, none of these techniques can be used to efficiently ensure that two modules within a communication (e.g., client/server) reside on a single machine.
For example, the handshake sequence previously described only ensures that one module has authenticated another module for establishing a communication. This security measure, however, does not ensure that the two modules reside on the same machine. Further, even though the above described session keys and public/private key pairs for encryption and decryption (as well as digital signing) might be used for ensuring that the processes reside on the same machine, such use would be a heavy burden on the limited resources of a single computing system. This is especially true for protocols that act as first-in-first-out folders, e.g., Named Pipes. Accordingly, there exists a need for efficiently establishing a secure communication by establishing that two modules reside on the same computing device.
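The following is an added illustration, not code from this document and not its claimed method. It sketches how a shared-memory check can tie a peer to the local machine without per-message cryptography: the server places a fresh nonce in a shared-memory segment, sends only the segment name over the ordinary channel, and accepts the peer only if it echoes the nonce back. The names `LocalityVerifier`, `client_respond` and `demo` are hypothetical, and the "remote" peer is a constructed stand-in.

```python
import hmac
import secrets
from multiprocessing import shared_memory

NONCE_LEN = 32  # bytes of fresh randomness per check


class LocalityVerifier:
    """Server side (hypothetical name): publishes a nonce in local shared memory."""
    def __init__(self):
        self.nonce = secrets.token_bytes(NONCE_LEN)
        self.shm = shared_memory.SharedMemory(create=True, size=NONCE_LEN)
        self.shm.buf[:NONCE_LEN] = self.nonce
        self.segment_name = self.shm.name  # only the name crosses the channel

    def verify(self, response):  # None means the peer could not map the segment
        return response is not None and hmac.compare_digest(response, self.nonce)

    def close(self):
        self.shm.close()
        self.shm.unlink()


def client_respond(segment_name):
    """Client side: it can answer only if it can attach to the segment locally."""
    try:
        shm = shared_memory.SharedMemory(name=segment_name)
    except FileNotFoundError:
        return None
    try:
        return bytes(shm.buf[:NONCE_LEN])
    finally:
        shm.close()


def demo():
    verifier = LocalityVerifier()
    try:
        local = verifier.verify(client_respond(verifier.segment_name))
        # Constructed stand-in for another host, where the name resolves to nothing.
        remote = verifier.verify(client_respond(verifier.segment_name + "_elsewhere"))
        guess = verifier.verify(secrets.token_bytes(NONCE_LEN))
    finally:
        verifier.close()
    return local, remote, guess


if __name__ == "__main__":
    print(demo())
```

The check shows only that the responder could read the segment under the local operating system's access controls; it does not identify the responder, so it complements authentication rather than replacing it.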